Greek regulator issues DORA warning: mapping and testing still lagging

Athens-based Christina Papaconstantinou, Deputy Governor of the Bank of Greece

As financial institutions accelerate their shift into cloud-first architectures, automated processes and AI-driven decisioning, regulators across Europe are tightening expectations around digital resilience.

Banks and financial-services firms are facing an increasingly complex compliance landscape, one where software testing, operational risk controls and ICT-governance frameworks form the backbone of regulatory scrutiny.

Supervisors have made clear that the stability of the financial system now depends as much on software reliability, data integrity and third-party ICT dependencies as on traditional capital or liquidity metrics.

The European Union’s flagship Digital Operational Resilience Act (DORA) has become a defining force in this shift, consolidating previously fragmented ICT-risk rules into a single regime and elevating resilience testing to a regulatory requirement.

It was against this backdrop that Christina Papaconstantinou, Deputy Governor of the Bank of Greece, used a recent address at the World Banking Forum in Athens to deliver a pointed assessment of where firms stand, and where they are falling behind.

The Bank of Greece, which is the central bank of the Hellenic Republic and a member of the European System of Central Banks (ESCB) and the Eurosystem, performs a range of regulatory and supervisory functions. It is the primary banking supervisor in Greece, responsible for overseeing Greek credit institutions.

DORA reshapes compliance baseline

Papaconstantinou opened with an acknowledgment that “finance becomes overwhelmingly digital,” highlighting the sector’s growing reliance on “cloud infrastructure, data-driven processes and … AI capabilities to deliver services faster and more effectively.”

But she warned that these same capabilities increase fragility. The dense digital interconnections between countries, markets and third-party ICT providers “amplif[y] operational and cyber risks, including concentration in critical ICT service providers and more complex incident cascades.”

She emphasised that DORA provides “for the first time … a single, technology-neutral framework on digital operational resilience across the financial sector.”

Instead of navigating multiple overlapping legislative texts, institutions now face a unified rulebook, but with far more explicit expectations for testing, monitoring and third-party oversight.

Among the most significant changes are common major incident reporting, mandatory threat-led penetration testing (TLPT) every three years for selected entities, and direct EU-level oversight of critical ICT third-party providers (CTPPs).

Her message to banks was clear: operational resilience must no longer be treated as a narrow IT domain. It must be a firm-wide discipline embedded in governance, risk frameworks and technology-delivery pipelines.

Mapping, testing and third-party controls still lagging

Drawing on early supervisory observations, roughly ten months after DORA entered into application, Papaconstantinou noted that progress across institutions varies widely.

Credit institutions, she said, tend to be further ahead, whereas insurers, payment firms and e-money institutions are still establishing the foundations.

A recurring weakness is “operational mapping,” where some firms struggle “to map critical or important functions against accountable owners, supporting processes, information assets and ICT services,” and to maintain accurate, up-to-date inventories in constantly evolving environments.



Papaconstantinou also called out gaps in vendor management. Institutions must maintain “a high-quality error-free Register of Information” and adopt contract standards that guarantee “rights to audit and test, visible sub-outsourcing, meaningful exit strategies and data-portability clauses.”

Incident-response capabilities remain inconsistent. “Many banks still lack clarity on what constitutes a major incident,” she warned, “alongside slow escalation paths and inconsistent notifications” during crises.

Resilience testing programmes also require strengthening. Annual or risk-based testing must be supported by coordinated internal teams or “purple-team” setups, with credible threat-intelligence feeds and specialised testing partners.

Papaconstantinou reiterated the need for institutions to adopt a “firm-wide digital operational resilience strategy,” complete with scenario-testing plans, investment roadmaps and regular board oversight.

Beyond DORA

Papaconstantinou also addressed other regulatory pillars reshaping technology and testing obligations.

She noted that MiCAR, the EU’s crypto-asset framework, has been fully applicable since 30 December 2024, seeking to ensure market integrity and safeguard investors. But she warned of risks stemming from “multi-issuance schemes” that may offer stablecoins under more lenient terms than traditional conglomerates, a potential source of arbitrage.

On the AI Act, entering full force in 2026, she described efforts to balance innovation with risk controls, emphasising transparency, human oversight, data-governance and post-market monitoring for high-risk systems.

Finally, she pointed to Basel IV/CRR III/CRD VI as the next major supervisory horizon, with implications for governance, stress testing and prudential management, especially for third-country banks.

In closing, Papaconstantinou cautioned that efforts to streamline regulation should not be mistaken for deregulation.

Simplification, she said, involves removing unnecessary burden and shortening implementation timelines, not weakening the safeguards that underpin financial stability.

“Supervision and regulation,” Papaconstantinou stated, “form a framework that preserves financial stability, protects depositors and shields the real economy from the impact of bank failure.”

For software-testing and QA teams, the takeaway is clear: as digital transformation accelerates and regulators expand their lens, testing is no longer a back-office function. It is a regulatory safeguard, and now a frontline requirement for compliance.

